If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

[Tutorial] Memory Remanence Attack

This is a tutorial for implimenting a memory remanence attack via LiveUSB, with a long explanation beforehand. It'd be posted in the tutorials section, but my account is new and I'm too lazy to come back in three days when I can post there or whatever arbitrary limit there is. I'd appreciate a mod moving this thread over, and fixing the links so they aren't in quotes... Anyways. Onto the goods.

---

A "memory remanence attack", put simply, is dumping the RAM contents of a computer - after a reboot, or even after removing it from your computer. Yes yes, DRAM is volatile, but to quell the voices in your head I'll link to some backround early on, and explain things. I'm 20 and have no formal education in the field so I may mess up a few details, but this is accurate to the best of my knowledge, observations, and experiences. Don't bite my head off, just point out any issues and I'll edit my post.

Please read this link before continuing:

citp.princeton.edu/memory/

As the link above shows, it is possible to dump the contents of RAM after power is removed. While the data in RAM is quickly lost, the loss happens over a period longer than your average reboot. When you reboot your desktop - depending on the configuration - the power supply breaks(in the sense of a switch) the electronic circut on the motherboard required to supply power to the RAM and CPU by turning off a transistor. Potential difference(voltage) in the primary path of the circut is lost(this can be seen with a multimeter), capacitors start self discharging at a high rate - leading to a neutral charge the circut in about 10 seconds. This is why your ram loses it's data - it is essentially a bank of capacitors(albeit highly specialized) - and about how long the data has to live.

Other times, RAM has longer to live. Like I indirectly said above, not all computers remove power so abruptly. Some(if not many, I don't know as I don't have many test samples) desktops use the same methods of shutting down as laptops, leaving power in the circut as there is less drain. Modern laptops shut down via ACPI/BIOS calls which are more graceful, and modern laptop components have much lower drain than their desktop counterparts. Even after the laptop(atleast the ones I've got access to test) is shut off, there is still peak(operating) power within the circut for awhile, and even when "fully powered down" the laptop still maintains a steady charge in the circut(although lower than operating) thanks to the battery and more efficient electronic components. This leads to RAM life with little corruption for up to 15 minutes without requiring cooling.

Now we're on that topic... cooling. If you read the above link, and browsed around, you noticed them going nuts with duster and liquid nitrogen. The reasoning behind this is that electronic components discharge potential difference rather rapidly at room temperature. When cooled, the capacitors(I don't believe they're technically called capacitors in EE, but a more specific term, someone remind me of it please) in your RAM discharge slower than at operating temperatures, meaning the bits remain intact, and the circutry can still detect them. Supposedly they did an hour without signifigant degredation while using liquid nitrogen to cool the RAM, but computer duster works just fine.

I will say that not all duster is created equally. Don't spray duster directly on your laptop the way they do, you may short it out. Some propellants used may be conductive, and if you're anywhere humid the resulting condensation is definitely conductive. Make a custom heatsink or something and spray that.

Anyways, the resulting information recovered from RAM can be very useful, and widely varied. Chat sessions that you had days ago remain in memory, your operating system keeps a disk cache, and your browser keeps an image cache. This allows previous "secure" conversations to be recovered, or your porn niche determined... or whatever else you're worried about. Onto the goodies!

Before I get started, visit the following URL and download msramdmp.tar.gz

mcgrewsecurity.com/projects/msramdmp/

Making your backtrack USB key do this is handy, but it requires you to sacrifice some space. I've got an 8gb USB drive so it doesn't matter much to me, but it may to you. Alternatively you can carry around a seperate USB drive to do this with. You're going to need to resize your fat32 partition to make room - this can be done while booted off it, but is highly discouraged. Do it at your own risk, and backup first.

Now, onto the parts that applies to everyone. You've got to resize your USB drive(if using the same one as backtrack) in order to use this. Thankfully, backtrack comes with "qtparted". Type qtparted into the run menu down below, or konsole, or where ever. Your harddrives will be listed on the right tree. Click on /dev/sda(or whatever your USB device is). Verify that this is the partition you're looking to resize(Look at the total size, is it the same size as your USB key in the "end" collum?). Right click on the graph up top, and click on "resize".

Most computers you come across will have 512mb to 1gb of RAM, but the maximum addressable space by a 32bit operating system(ignoring PAE, we're talking windows here after all. 64 bit windows installs are few and far inbetween) is 2^32 bytes, or 4gb. If you've got the room on your drive and you want to be prepared, go with 4gb.

Type into qtparted how much space you want left over after creation. I went with 1.1gb myself, having a bit extra space is not only a bad thing, but recommended.

View this image if you're confused.

img148.imageshack.us/img148/8158/qtpartedsb1.png

Click OK.

Right click uptop in the newly grey area that represents free space, and click on "create". It does not matter what filing system you put on it, just click "ok" for all I care. Take up 100% of the free space of the device(the default action), and make sure it's a primary partition.

Now that you've got your two partitions, reverify that this is what you would like to do. Up top, click on "device", and then "commit". Wait patiently.

Now that we've got our two partitions, pop open konsole. Type the following into it:

fdisk /dev/sda

Hit P, and enter. View the partition table. Make note of this table. /dev/sda1 is partition 1, /dev/sda2 is partition 2, so on and so forth.

Hit T, then enter. Type the partition that you just created, and make sure that it's not the one with the boot flag set. It should be partition number 2.

Type in 40. This part you will have to do after each attack because the program used to do it changes the ID to 41 instead of 40 - this is so that you can have multiple partitions to dump to.

Hit W, and enter.

If you were booted off your USB drive when you did this, reboot before continuing on.

Extract msramdmp.tar.gz to a folder - in windows you can do this with WinRAR, use tar -xzvf <archive> in linux.

copy msramdmp.c32 to \boot\ on your USB key.

Open \boot\syslinux\syslinux.cfg in a text editor, and add the following lines to the file, and save it:

Do what you want with the dump. You can use the "strings /dev/sda2" command to see text-like strings, or use foremost/magicrescue on the device to see what's in the diskcache. If you want to go through it byte for byte in an editor, you can type "hexedit -d /dev/sda2"

Copy the dump to a normal file with "dd if=/dev/sda2 of=/tmp/fileyouwant"

When you've retrieved the dump, remember to prepare your USB key for the next time by fdisking it as noted above, and zero out(erase) the partition. "dd if=/dev/zero of=/dev/sda2"

Screenshots:

img528.imageshack.us/img528/3601/memoryremenancevx2.png

img522.imageshack.us/img522/2483/memoryremenancefilecarvne2.png

Note that not every computer will allow you to do this, because of POST or ECC. To (attempt) to prevent it, enter the bios and turn POST to full. Turn off any quick boot features.

I thought I'd point out a few things, one is that it sort of sounds like I'm suggesting that desktop PSUs aren't using transistors to turn off - they are. Some use relays or physical switches that require you to press them, but that's found in older AT powersupplys mostly.

Second, while enabling a full POST or using ECC RAM will wipe out the RAM when booted *on that motherboard*, the RAM can still be taken out of the motherboard, put into another one, and the dump can be done from that. There are boards that *take* ECC, but don't actually use ECC, thus they never zero out the memory to ensure parity. Thus, at this time, no matter what you do, your RAM can be dumped if someone has physical access to your machine

Well son of a gun... well done! I have been thinking about writing a tutorial about this very topic for the last few months, but since work seems to get in the way of my play time I never had the opportunity!